But what are the Spectre and Meltdown security vulnerabilities, and how do they affect you? This guide—which will be regularly updated—will tell you everything you need to know about Spectre and Meltdown.

What are Spectre and Meltdown?

They are vulnerabilities in modern chip design that could allow attackers to bypass system protections on nearly every recent PC, server and smartphone—allowing hackers to read sensitive information, such as passwords, from memory.

Malicious code running on a computer or even in a web browser could exploit these vulnerabilities to access information held in protected memory.

Meltdown could prove particularly dangerous on unpatched cloud platforms, due to the possibility of malicious code inside a virtual machine being able to read data from the memory of the underlying host computer, with the threat that one cloud customer could steal data from another.

Who does Spectre affect?

Practically every PC, server and smartphone is vulnerable to attacks that exploit the Spectre flaws.

Because Spectre-related attacks exploit the fundamental design of modern processors, they could affect far more processors than Meltdown. All of the major processor manufacturers have a wide range of processors vulnerable to Spectre-related attacks, including those from AMD, Arm and Intel.

Only older chips, such as those used in the $35 Raspberry Pi 3, aren't vulnerable to Spectre-related attacks.

Who does Meltdown affect?

Meltdown only affects devices that have Intel, Apple or Arm Cortex A75-based processors.

However, given how widely Intel chips are used in PCs and servers there are still a lot of machines affected, particularly since Meltdown affects Intel chips going back decades, with potentially all out-of-order execution Intel processors since 1995, except Itanium and pre-2013 Atoms, being vulnerable.

Apple has also indicated that all iPhones, iPads and modern Mac devices are affected by Meltdown.

How do Spectre and Meltdown work?

To understand Spectre, you need to grasp the basics of how modern computer processors work.

Modern processors accelerate the rate at which they execute instructions by loading data into the processor's on-board cache memory ahead of when it's needed. Data can be retrieved from this on-board cache far more rapidly than from the computer's main memory.

If a processor is executing a set of instructions that branches depending on the input, then processors will try to guess which branch of instructions is most likely to be executed and load the necessary data into the processor's cache. These processes, called Branch Prediction and Speculative Execution, are what can be exploited by Spectre attacks. The attacker manipulates the processor so it loads a value from protected memory into the cache. They then follow up by attempting to load known data from unprotected memory. If one piece of this known data loads far more rapidly than the others, then they can infer that this data is being retrieved from the cache, and therefore is related to the value stored in protected memory.

Meltdown works slightly differently, taking advantage of a privilege escalation flaw that allows any user able to execute code on the system to access protected memory. This has the effect of neutralizing security models based on address space isolation and paravirtualized software containers.

There are two variants of Spectre attacks: variant 1, known as Bounds Check Bypass and referenced by CVE-2017-5753, and variant 2, known as Branch Target Injection and referenced by CVE-2017-5715. The Meltdown vulnerability, known as Rogue Data Cache Load, is referenced by CVE-2017-5754.

As of February 2018, security researchers have discovered more than 130 variants of malware designed to exploit either the Spectre or Meltdown flaws; however, most were proof-of-concept code rather than being used in actual attacks.

How can I protect against Spectre and Meltdown?

Patches against Meltdown and variant 1 Spectre attacks are being issued by operating system and virtual machine vendors, with patches rolled out on major operating systems such as Windows and macOS, and automatically applied to most systems.

The Linux kernel has also been patched to help mitigate against Meltdown and Spectre-related attacks, with TechRepublic contributing writer Jack Wallen producing a comprehensive guide on how to check if your Linux-based machine is protected, here.
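As an added example (not part of the original article or of the guide it refers to), this script reads the status files that patched Linux kernels publish under /sys/devices/system/cpu/vulnerabilities and classifies them for the three CVEs named above. The function names and the sample status lines written by write_sample are constructed for illustration.

```shell
#!/bin/sh
# Added example. Patched Linux kernels report their own mitigation state here:
VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# classify_status LINE -> not-affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not-affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;   # file missing or unrecognised text
    esac
}

# report_dir [DIR] prints "CVE <tab> file <tab> class <tab> raw text" for the
# three issues named in the article; returns 1 unless every entry is safe.
report_dir() {
    dir=${1:-$VULN_DIR}
    rc=0
    for pair in CVE-2017-5753:spectre_v1 CVE-2017-5715:spectre_v2 \
                CVE-2017-5754:meltdown; do
        cve=${pair%%:*}
        file=${pair#*:}
        raw="(no sysfs entry)"
        if [ -r "$dir/$file" ]; then raw=$(cat "$dir/$file"); fi
        class=$(classify_status "$raw")
        case "$class" in vulnerable|unknown) rc=1 ;; esac
        printf '%s\t%s\t%s\t%s\n' "$cve" "$file" "$class" "$raw"
    done
    return "$rc"
}

# write_sample DIR creates constructed status files (not captured from a real
# machine) so the report can be exercised on any system.
write_sample() {
    printf 'Mitigation: __user pointer sanitization\n' > "$1/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$1/spectre_v2"
    printf 'Mitigation: PTI\n' > "$1/meltdown"
}

# Use the live system if the interface exists, otherwise the constructed sample.
if [ -d "$VULN_DIR" ]; then
    report_dir || true
else
    tmp=$(mktemp -d)
    write_sample "$tmp"
    report_dir "$tmp" || true
    rm -rf "$tmp"
fi
```

A missing file is reported as unknown rather than safe, because a kernel without this interface gives no evidence either way.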

Fixes for variant 2 of the Spectre attacks require a computer firmware update, which is being issued by chip manufacturers and designers such as Intel and Arm, and sometimes also an operating system kernel update.

Major cloud providers AWS, Google and Microsoft have updated their systems with the latest updates for Spectre and Meltdown, while virtualization provider VMware has issued patches against both variants of the Spectre attacks.

You can find a comprehensive list of affected computer hardware and software, and the patches issued by vendors, here.

Meltdown is easier to patch against than Spectre, due to Spectre-related attacks exploiting a fundamental design choice in modern processors. Because of the difficulty in addressing Spectre, the patches generally mitigate the risk from attacks, rather than blocking them altogether.

The creator of the Linux kernel, Linus Torvalds, has been particularly critical of how Intel is choosing to patch systems against Spectre variant 2, describing the updates as garbage, due to operating system makers having to add code that opts in to enabling Spectre mitigation.

Most major browsers have also been updated to prevent malicious JavaScript on a website from exploiting the Spectre vulnerability to read from the computer's memory.

The nature of the Spectre variant 2 flaw means that fixes to guard against attacks also have the effect of slowing down computers in certain circumstances. A Microsoft analysis of which systems are likely to be worst affected by applying the Spectre fix found the following:

Most users running Windows 8 and Windows 7 PCs on 2015-era Intel Haswell or older CPUs will notice a decrease in system performance.

Some users running Windows 10 PCs on 2015-era Intel Haswell or older CPUs will notice a decrease in system performance, with "more significant slowdowns" than on newer chips.

Most users running Windows 10 PCs on 2016-era Intel Skylake, Kaby Lake or newer CPUs won't notice a change, due to only "millisecond differences" in operations.

Intel found the same Spectre-related firmware updates can also cause a significant decrease in server performance.

However, the extent of the slowdown was heavily dependent on the nature of the workload and the configuration of the system, with some jobs barely affected and others taking noticeably longer.

The worst affected workloads were those "that incorporate a larger number of user/kernel privilege changes and spend a significant amount of time in privileged mode", according to Intel.

The results found that:

Benchmarks to simulate common enterprise and cloud workloads saw up to two percent performance impact. Intel simulated these workloads using industry-standard measures of integer and floating point throughput, Linpack, STREAM, server-side Java and energy efficiency benchmarks.

In FlexibleIO, a benchmark simulating different types of I/O loads, stressing the CPU with a 100 percent write led to an 18 percent decrease in throughput performance. However, a 70/30 percent read/write model saw a 2 percent decrease in throughput performance, with no throughput impact for 100 percent read.

There was also a wide range of impacts when Intel ran Storage Performance Development Kit (SPDK) tests, which provide a set of tools and libraries for writing high-performance, scalable, user-mode storage applications. Using SPDK iSCSI, Intel found as much as a 25 percent impact while using only a single core. However, using SPDK vHost had no impact.

The potential performance impact on servers is such that Microsoft recommends users "evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment".

Virtualization vendor VMware has also warned that the resulting increase in CPU utilization after applying fixes for Spectre could result in organizations discovering they need to increase the size of clusters of virtual machines where previously they had sufficient capacity.

Will buying a new processor help?

Yes, to an extent: the performance of newer processors appears to suffer less after applying patches against the security flaws.

However, the fact that Spectre exploits a fundamental aspect of modern processor design, one that has delivered significant performance benefits, means that chipmakers can only do so much when designing new processors.

Rewriting the fundamental architecture of modern CPUs will not be a fast process, and in the meantime it will likely mean continuing to use processors that either have some degree of insecurity or perform significantly worse when it comes to certain tasks.